PIV Business and Technical Architecture (slide transcript)



May 14, 2008 Slide 4

PIV Business and Technical Architecture

Tim Baldridge

Slide 5 (graphic only; no text extracted)

Slide 6

PIV System Notional Model (diagram; no further text extracted)

Slide 7

Business Architecture Components

Main areas: Identity Management, Credential Management, Access Management

Component boxes, reconstructed from the flattened diagram text (each box name is followed by the functions listed under it):

• Security Clearance – Security Clearance Mgmt
• Facility Management – Facility Inventory Mgmt
• IT Management – IT System Inventory Mgmt
• E-QIP System – Investigation Management
• Procurement – Contract/Agreement Mgmt
• Credential Inventory – Component Supply Mgmt
• Identity Management – Position Assessment; Identity Lifecycle Mgmt; Identity Maintenance; Biometrics Management
• Investigation Tracking – Investigation Management
• PKI Management – Certificate Management
• Credential Planning – Production Planning; Template Management; Standards and Controls
• Credential Mgmt – Credential Production; Credential Lifecycle Mgmt; Credential Condition Mgmt
• Human Capital Mgmt – Position Management; Organization/Program Structure Management
• Asset Management – Asset Inventory Mgmt; Asset Group Mgmt; Access Rule Management
• Authorization – Community Management; Permission Management
• Authentication – Access Control Mgmt; Access Authentication
• Foreign National – Foreign Nationals Mgmt

Slide 8

Shared Component Architecture Concept Diagram (diagram; no further text extracted)

Slide 9

PIV Data Flow (diagram; the only labels extracted are "PACS" and "Certificate Authority")

Slide 10

FIPS 201-1 Logical Credential Model

• Mandatory PIV data elements
  – A PIN
  – A CHUID
  – PIV authentication data (one asymmetric key pair and the corresponding certificate)
  – Two biometric fingerprints

• Optional PIV data elements
  – An asymmetric key pair and corresponding certificate for digital signatures
  – An asymmetric key pair and corresponding certificate for key management
  – Asymmetric or symmetric card authentication keys for supporting additional physical access applications
  – Symmetric key(s) associated with the card management system

Slide 11

PKI – Is Key!

• Compliant PIV card certificates:
  – Are issued only from a CA in the Federal PKI under the FPKIPA Common Policy
  – Contain application object identifiers (OIDs) specific to each data-model-element certificate type

• PCI (PIV Card Issuer) PIV digital signatory:
  – Is issued only from a CA in the Federal PKI under the FPKIPA Common Policy
  – Signs the PIV data model elements: CHUID, fingerprints, Security Object, photo

Slide 12

Identity Assurance Authentication Levels

• SOME Confidence — A basic degree of assurance in the identity of the cardholder

• HIGH Confidence — A strong degree of assurance in the identity of the cardholder

• VERY HIGH Confidence — A very strong degree of assurance in the identity of the cardholder

Slide 13

Identity Assurance Authentication Levels (cont.)

(table mapping authentication mechanisms to the three assurance levels; only the fragment ", PKI" survived extraction)

Slide 14

Card Authentication Certificate Enabled PACS Readers

• The challenge is to PKI-enable legacy PACS door readers

• Legacy: a two-step mechanism
  – Enroll the PIV card, with full PKI validation, at the head-end
  – Push a hash of the certificate or public key, together with the FASC-N, to the panel

• Next generation: full PKI validation, including a revocation check, at each access point

Slide 15

Take-Home…

• For more than SOME confidence:
  – Validate digitally signed objects
  – Validate signer certificates to the FPKIPA root
  – Validate that no certificate in the path is revoked

• This applies to both logical and physical access use cases
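The following is an added example, not part of the presentation, that puts the slide 14 contrast and the slide 15 Take-Home steps into runnable Go (standard library only, Go 1.21 or later). It builds a constructed three-certificate path (a root standing in for the Common Policy trust anchor, an issuing CA, and a PIV Card Authentication certificate) plus a CRL signed by the issuing CA; none of this is Federal PKI material, and the type and function names (toyPIV, issue, publishCRL, validatePath, legacyPanelCheck, cardSign, nextGenReaderCheck) are invented for the example. The legacy two-step scheme is modeled as a hash of the card's public key that the head-end pushed to the panel after validating the card once; the next-generation reader instead demands a fresh signature over its own nonce and then runs path validation, CRL signature and freshness checks, and a revocation lookup on every access. Signed data-model elements (CHUID, fingerprints, Security Object, photo) are verified with the same signature-check primitive against the content signer's certificate, which must in turn pass the same path check; the CMS wrapping around those objects is not parsed here. The toy checks only the issuing CA's CRL, whereas the Take-Home asks for every certificate in the path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toyPIV is a constructed stand-in for the Federal PKI: root -> issuing CA -> card certificate.
type toyPIV struct {
	root, ca, cardAuth *x509.Certificate
	caKey, cardKey     *ecdsa.PrivateKey // on a real card, cardKey never leaves the chip
	crlDER             []byte            // latest CRL signed by the issuing CA
}

// must is for fixture setup only; the access checks below return errors instead of panicking.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and certifies it under parent (self-signed when parent is nil).
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// publishCRL has the issuing CA sign a fresh CRL; with revoked set, it lists the card certificate.
func (p *toyPIV) publishCRL(number int64, revoked bool) {
	crl := &x509.RevocationList{Number: big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	if revoked {
		crl.RevokedCertificateEntries = []x509.RevocationListEntry{
			{SerialNumber: p.cardAuth.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}}
	}
	p.crlDER = must(x509.CreateRevocationList(rand.Reader, crl, p.ca, p.caKey))
}

// newToyPIV builds the constructed path and an initial CRL with nothing revoked.
func newToyPIV() *toyPIV {
	root, rootKey := issue(1, "Toy Common Policy Root", true, nil, nil)
	ca, caKey := issue(2, "Toy PIV Issuing CA", true, root, rootKey)
	card, cardKey := issue(3, "PIV Card Authentication", false, ca, caKey)
	p := &toyPIV{root: root, ca: ca, caKey: caKey, cardAuth: card, cardKey: cardKey}
	p.publishCRL(1, false)
	return p
}

// validatePath is the Take-Home check: a path to the trust anchor, then a fresh, correctly
// signed CRL that does not list the certificate. Production code repeats the revocation
// step for every certificate in the path; this toy has only the issuing CA's CRL.
func validatePath(p *toyPIV, cert *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inter.AddCert(p.ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // the default insists on TLS serverAuth
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err != nil {
		return fmt.Errorf("CRL parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(p.ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %v; refusing to decide on stale data", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// Legacy two-step: the head-end validated once and pushed only a hash of the card's public key
// (keyed by FASC-N) to the panel, which compares hashes and never learns of a later revocation.
func legacyPanelCheck(enrolledHash [32]byte, cert *x509.Certificate) bool {
	return enrolledHash == sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// cardSign is the card answering a reader nonce with its Card Authentication private key.
func cardSign(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// nextGenReaderCheck: proof of possession of the key, then the full path and revocation check, every time.
func nextGenReaderCheck(p *toyPIV, cert *x509.Certificate, nonce, sig []byte) error {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("challenge response: %w", err)
	}
	return validatePath(p, cert)
}

func main() {
	p := newToyPIV()
	if err := validatePath(p, p.cardAuth); err != nil { // head-end enrollment with full PKI
		panic(err)
	}
	enrolled := sha256.Sum256(p.cardAuth.RawSubjectPublicKeyInfo) // what the panel keeps
	nonce := []byte("constructed reader nonce")
	sig := must(cardSign(p.cardKey, nonce))
	p.publishCRL(2, true) // the issuer revokes the card after enrollment
	fmt.Println("legacy panel still accepts:", legacyPanelCheck(enrolled, p.cardAuth))
	fmt.Println("next-gen reader:", nextGenReaderCheck(p, p.cardAuth, nonce, sig))
}
```

Running it shows the gap the slides describe: after the issuer publishes a CRL listing the card, the legacy panel still answers true because it only holds a public-key hash, while the next-generation reader refuses with a "revoked" error. The KeyUsages option matters in practice: Go's Verify defaults to requiring the TLS serverAuth extended key usage, which a PIV certificate does not carry, so a checker that forgets to override it rejects every valid card.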